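Posted October 1, 200816 yr Hi all , new to the board, my friend suggested the smart people at this board would be able to solve this , thanks in advance im not too sure about finding an easy way to do the seed im not too familiar with c++ syntax it gets passed a parameter it gets from the registry which is different for every machine because it seeds with user/SID

#define SEED_CONSTANT 0xba0da71d

/*
 * Fixed 16-byte key. Decode() mixes the calling account's name and domain
 * into a copy of it and hands the result to DPAPI as the "optional entropy",
 * so a blob protected this way only unprotects for the same user account.
 */
unsigned char secretKey[16] = {
    0xa3, 0x1e, 0xf3, 0x69, 0x07, 0x62, 0xd9, 0x1f,
    0x1e, 0xe9, 0x35, 0x7d, 0x4f, 0xd2, 0x7d, 0x48
};

/*
 * Mix the account name and then the domain into the four 32-bit key words.
 *
 * The position counter keeps running from the end of the name into the
 * domain, so the domain's first character lands on key word (cchName % 4);
 * that is what the matching encoder does and must not be "fixed". The
 * characters are consumed as TCHAR values (sign-extended if TCHAR is a
 * signed char), again to stay compatible with the encoder. The multiplier
 * 48271 is part of the derivation and likewise must match.
 */
static void MixAccountIntoKey(unsigned int key[4],
                              const TCHAR *name, DWORD cchName,
                              const TCHAR *domain, DWORD cchDomain)
{
    unsigned int seed = SEED_CONSTANT;
    DWORD pos = 0;
    DWORD j;

    for (; pos < cchName; pos++) {
        key[pos % 4] ^= name[pos] * seed;
        seed *= 48271;
    }
    for (j = 0; j < cchDomain; j++, pos++) {
        key[pos % 4] ^= domain[j] * seed;
        seed *= 48271;
    }
}

/*
 * Turn the printable transport form of a DPAPI blob back into raw bytes,
 * in place, starting at passEntry[0].
 *
 * The encoded form skips a 4-character prefix; each character pair
 * (passEntry[4+i], passEntry[5+i]) yields one byte, which is then
 * de-whitened with a second LCG (multiplier 69621) seeded from the derived
 * key. Reads always stay ahead of writes (i/2 < 4+i), so decoding in place
 * is safe. entryLen appears to count the encoded characters after the
 * prefix, so passEntry must hold at least entryLen + 4 characters — caller
 * contract, TODO confirm. The byte-wise view of passEntry assumes _TCHAR is
 * char (ANSI build); under UNICODE this would read half-characters.
 *
 * Returns the number of raw bytes written, ceil(entryLen / 2).
 */
static DWORD UnpackBlob(_TCHAR passEntry[], DWORD entryLen, unsigned int seed)
{
    const unsigned char *hi = (const unsigned char *)&passEntry[4];
    const unsigned char *lo = (const unsigned char *)&passEntry[5];
    DWORD i;

    for (i = 0; i < entryLen; i += 2) {
        passEntry[i / 2] = (_TCHAR)((((hi[i] - 1) * 16) | (lo[i] - 33)) - (seed & 0xff));
        seed *= 69621;
    }
    return i / 2;
}

/*
 * Decode a stored credential for the current user.
 *
 * output    receives the recovered plaintext bytes. No terminator is
 *           appended and it is left untouched on any failure. There is no
 *           length parameter (interface inherited), so the caller must size
 *           it for the largest plaintext DPAPI can return for this entry.
 * passEntry the encoded entry; it is overwritten in place with the raw
 *           DPAPI blob as a side effect of decoding.
 * entryLen  number of encoded characters after the 4-character prefix.
 *
 * Steps: read the current process token's user SID, resolve it to a
 * name/domain pair, mix those into secretKey to form the DPAPI entropy,
 * unpack the blob, then CryptUnprotectData() it with that entropy.
 *
 * Fixes relative to the posted version: LookupAccountSid is given the
 * buffer size in TCHARs rather than bytes (sizeof(name) over-reports it
 * under UNICODE and allows an overrun); CryptUnprotectData's result is
 * checked before dataOut is copied and freed (previously an uninitialised
 * pointer was used on failure); the derived key and the DPAPI output are
 * zeroised once consumed; dead locals are dropped.
 */
VOID Decode(_TCHAR output[], _TCHAR passEntry[], DWORD entryLen)
{
    HANDLE hToken;
    union {
        TOKEN_USER user;                 /* keeps the TOKEN_USER/SID aligned */
        BYTE raw[512];
    } tokenInfo;
    TCHAR name[512], domain[512];
    DWORD sidSize = 0;
    DWORD cchName, cchDomain;
    SID_NAME_USE peUse;
    unsigned int keyWords[4];            /* secretKey copy, as 4 x 32-bit words */
    DWORD blobLen;
    DATA_BLOB dataIn, dataEntropy, dataOut;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
        return;

    if (!GetTokenInformation(hToken, TokenUser, &tokenInfo, sizeof(tokenInfo), &sidSize))
        goto done;

    /* Sizes are in TCHARs, not bytes. */
    cchName = cchDomain = sizeof(name) / sizeof(name[0]);
    if (!LookupAccountSid(NULL, tokenInfo.user.User.Sid,
                          name, &cchName, domain, &cchDomain, &peUse))
        goto done;

    /* Derive the per-user entropy. memcpy rather than casting the byte
     * array to unsigned int* — same bytes, no aliasing/alignment UB. */
    memcpy(keyWords, secretKey, sizeof(keyWords));
    MixAccountIntoKey(keyWords, name, cchName, domain, cchDomain);

    /* Unpack the transport encoding into a raw blob, in place. */
    blobLen = UnpackBlob(passEntry, entryLen, keyWords[0] | 1);

    dataIn.cbData = blobLen;
    dataIn.pbData = (BYTE *)passEntry;
    dataEntropy.cbData = sizeof(keyWords);
    dataEntropy.pbData = (BYTE *)keyWords;
    dataOut.cbData = 0;
    dataOut.pbData = NULL;

    /* Only touch output when DPAPI actually succeeded. */
    if (CryptUnprotectData(&dataIn, NULL, &dataEntropy, NULL, NULL,
                           CRYPTPROTECT_UI_FORBIDDEN, &dataOut)) {
        memcpy(output, dataOut.pbData, dataOut.cbData);
        SecureZeroMemory(dataOut.pbData, dataOut.cbData);
        LocalFree(dataOut.pbData);
    }

    SecureZeroMemory(keyWords, sizeof(keyWords));
done:
    CloseHandle(hToken);
}

; ---------------------------------------------------------------------------
; MASM sketch of the first half of Decode(): fetch the current user's SID and
; resolve it to name/domain. Reflowed from the posted one-line paste.
; NOTE(review): none of the API results are checked yet (OpenProcessToken,
; GetTokenInformation, GlobalAlloc, LookupAccountSid); add test eax,eax /
; jz paths before building on this.
; ---------------------------------------------------------------------------
.code
start:
    invoke GetCurrentProcess
    invoke Decode, eax
    invoke ExitProcess, NULL

Decode proc uses edi hProcess:HANDLE
    LOCAL hToken:HANDLE
    LOCAL dwBytesRead:DWORD
    LOCAL dwBytesRead2:DWORD
    LOCAL dwSidType:DWORD
    LOCAL pData:DWORD
    LOCAL szDomainBuffer[256]:BYTE
    LOCAL plUserName[256]:BYTE

    invoke RtlZeroMemory, addr plUserName, sizeof plUserName
    invoke RtlZeroMemory, addr szDomainBuffer, sizeof szDomainBuffer
    invoke OpenProcessToken, hProcess, TOKEN_QUERY, addr hToken
    ; first call with a NULL buffer only reports the required size
    invoke GetTokenInformation, hToken, TokenUser, NULL, NULL, addr dwBytesRead
    invoke GlobalAlloc, GPTR, dwBytesRead
    mov pData, eax
    invoke GetTokenInformation, hToken, TokenUser, pData, dwBytesRead, addr dwBytesRead
    mov edi, pData
    ; LookupAccountSid takes the buffer capacities in/out; the posted code
    ; passed the TOKEN_USER size as the name capacity and an uninitialised
    ; dwBytesRead2 as the domain capacity.
    mov dwBytesRead, sizeof plUserName
    mov dwBytesRead2, sizeof szDomainBuffer
    invoke LookupAccountSid, NULL, [edi][TOKEN_USER.User.Sid], addr plUserName, \
           addr dwBytesRead, addr szDomainBuffer, \
           addr dwBytesRead2, addr dwSidType
    invoke MessageBox, 0, addr plUserName, addr szDomainBuffer, 0
    ; debug artifact: this shows the raw binary SID as if it were text;
    ; ConvertSidToStringSid would be needed for a readable S-1-5-... form
    invoke MessageBox, 0, [edi][TOKEN_USER.User.Sid], addr szDomainBuffer, 0
    ; no FreeSid here: the SID lives inside the GlobalAlloc'd TOKEN_USER
    ; buffer and is released with it below (FreeSid is only for SIDs from
    ; AllocateAndInitializeSid)
    invoke GlobalFree, pData
    invoke CloseHandle, hToken
    ret
Decode endp

Edited October 1, 200816 yr by chillywilly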
October 3, 2008 (16 yr) Author: Basically, this is the same code that is used to reverse Remote Desktop *.rdp files and Google-type stored passwords.